A methodology wherein two different types of locks are used by a storage manager when multiple clients wish to access a particular redundantly-stored file. Simple byte-range based mutual exclusion (or mutex) locks are granted by the storage manager for data writes/updates to the file when the file is in the fault-free state, and individual readers/writers (R/W) locks are granted by the storage manager when the file is in the degraded state. No read locks are required of clients when the file object is in the fault-free state. During the fault-free state of the file object, when exactly one client is writing to the file object, the storage manger grants that file object a whole-file lock valid over the entire file object. Each client may have a client lock manager that interacts with appropriate storage manager lock manager to request and obtain necessary locks. These various locking mechanisms reduce lock-related network traffic in a data storage system.
|
3. A method of accessing redundant data contained in a file object in an object-based distributed data storage system, said method comprising:
allowing each executable application operating in said data storage system to access said redundant data using a corresponding first lock only when said executable application is performing a write operation on said redundant data in said file object and so long as said file object is in a fault-free state, wherein each said first lock allows a corresponding executable application to access said file object simultaneously with one or more other executable applications; and
requiring each said executable application to acquire a corresponding second lock or third lock over a corresponding byte range in said file object when performing a respective read or write operation on said redundant data in said file object so long as said file object is in a degraded state.
4. An object-based data storage system comprising:
means for allowing one or more executable applications operating in said data storage system to access data contained in a file object stored in said data storage system using a corresponding mutual-exclusion (mutex) lock only when each said executable application is performing a write operation on said data in said file object and so long as said file object is in a fault-free state, wherein each said mutex lock allows a corresponding executable application to access said file object simultaneously with one or more other executable applications;
means for allowing each said executable application to perform a read operation on said data without using a corresponding read lock therefor so long as said file object is in said fault-free state; and
means for requiring each said executable application to acquire a corresponding read lock or write lock over a corresponding byte range of said data in said file object when performing a respective read or write operation on said data in said file object so long as said file object is in a degraded state.
5. A method of accessing a file object stored in an object-based data storage system, said method comprising:
determining whether said file object is in a fault-free state or a degraded state;
performing the following if said file object is in said fault-free state:
granting a client computer a whole-file lock valid over entirety of said file object when said client computer is the only client computer in said data storage system writing to said file object,
granting a byte-range based mutual-exclusion lock to each client computer wishing to write to said file object in said data storage system when more than one client computer wishes to write to said file object, and
allowing each client computer in said data storage system to read said file object without requiring a corresponding read lock therefor; and
performing the following if said file object is in said degraded state:
requiring each client computer in said data storage system to obtain a corresponding byte-range based read lock or write lock on said file object for a respective data read or data write operation on said file object, and
granting each client computer said corresponding byte-range based read or write lock on said file object.
1. A method of accessing data contained in a file object that is at least partially
stored in an object-based secure disk (OBD) in an object-based distributed data storage system, said method comprising:
allowing one or more executable applications operating in said data storage system to access said data using a corresponding mutual-exclusion (mutex) lock only when each said executable application is performing a write operation on said data in said file object and so long as said file object is in a fault-free state, wherein each said mutex lock allows a corresponding executable application to access said file object simultaneously with one or more other executable applications;
further allowing each said executable application to perform a read operation on said data without using a corresponding read lock so long as said file object is in said fault-free state;
invalidating all read capabilities and write capabilities granted to said one or more executable applications to perform said read and write operations respectively when said file object transitions from said fault-free state into a degraded state; and
requiring each said executable application to acquire a corresponding read lock or write lock over a corresponding byte range of said data in said file object when performing a respective read or write operation on said data in said file object so long as said file object is in said degraded state.
2. The method of
|
This application claims priority benefits of prior filed co-pending and commonly-owned U.S. provisional patent applications Ser. No. 60/368,785, filed on Mar. 29, 2002, Ser. No. 60/372,026, filed on Apr. 12, 2002, and Ser. No. 60/372,024, filed on Apr. 12, 2002, the disclosures of all of them are incorporated herein by reference in their entireties.
1. Field of the Invention
The present invention generally relates to data storage systems and methods, and, more particularly, to a methodology for reducing redundancy-update lock communication overhead using whole-file and dual-mode locks in a distributed object-based data storage system.
2. Description of Related Art
In a distributed data storage system, servers and client computers may interact with each other and with data storage disks or other system agents in a pre-defined manner. For example, client computers may read from or write into the storage disks various types of data including, for example, normal application-specific data or redundant information being stored for fault tolerance. Various levels of RAID (Redundant Array of Independent Disks) may be implemented for desired storage system fault tolerance configuration. In any event, whenever the regular (non-redundant) data is modified, typical fault tolerance configurations (e.g., RAID) require that the redundant data be modified as well. If multiple independent threads of control (e.g., multiple client computers) wish to simultaneously modify redundant information, they must use some sort of conflict resolution strategy (e.g., locking) to assure that their independent updates do not conflict with each other and, hence, do not corrupt the redundantly-stored information. Thus, the term “lock”, as used hereinbelow, may be generally defined as a mechanism to regulate access to a file by multiple clients, wherein the file may contain non-redundant as well as redundant data.
In most data storage systems, the updating of redundant information is done under the control of exactly one computer. This arrangement reduces locking overhead because any communication it invokes is purely local to one computer. However, in modern distributed, network-based data storage architectures, locking may introduce a heavy burden of network communication between client computers and servers, which can greatly reduce system performance. For example, in some storage systems, lock-related network traffic may be present even when only one client computer is accessing a particular file. Therefore, it is desirable to reduce this lock-related traffic to the maximum extent possible in a distributed data storage system.
In some prior art data storage systems, a single type of lock would be used at all times whether the file to be accessed is in a fault-free state or in a degraded state (i.e., when the file is affected by the non-availability of one or more disks on which the data for that file is stored). In other words, such prior data storage systems do not change the locking strategy at the transition between the fault-free mode and the degraded mode. In those data storage systems, using a single locking strategy does not impose a heavy burden on the system because either (a) all operations are serially executed in a dedicated hardware controller, obviating the need for locking, or (b) all redundancy computations are performed on one computer, eliminating the need for network communication associated with lock acquisition and release. However, in certain distributed data storage architectures, such single locking strategy may not reduce lock-related network traffic and, hence, additional measures may be needed to reduce lock-related network communication overhead.
Therefore, it is desirable to devise a data storage methodology wherein the locking strategy employs different types of locks when a data-containing file transitions from a fault-free mode into a degraded mode and vice-versa. It is further desirable to minimize lock-related network traffic in the event that there is only one client computer accessing a particular file.
In one embodiment, the present invention contemplates a method of updating data contained in a file object stored in an object-based distributed data storage system. The method comprises receiving a request from a first requestor in the data storage system for updating a portion of the data in the file object; upon receipt of the request, determining whether a first write lock has been granted to a second requestor in the data storage system to update any portion of the data in the file object; and in the absence of the first write lock, granting a second write lock to the first requester, wherein the second write lock is valid over entirety of the file object, thereby allowing the first requester to update any portion of the data in the file object.
In another embodiment, the present invention contemplates a method of accessing redundant data contained in a file object in an object-based distributed data storage system. The method comprises allowing each executable application operating in the data storage system to access the redundant data using a corresponding first lock only when the executable application is performing a write operation on the redundant data in the file object and so long as the file object is in a fault-free state, wherein each first lock allows a corresponding executable application to access the file object simultaneously with one or more other executable applications; and requiring each executable application to acquire a corresponding second lock or third lock over a corresponding byte range in the file object when performing a respective read or write operation on the redundant data in the file object so long as the file object is in a degraded state.
Thus, according to the present invention, two different types of locks are used by a storage manager when multiple clients wish to access a particular redundantly-stored file. Simple byte-range based mutual exclusion (or mutex) locks are granted by the storage manager for data writes/updates to the file when the file is in the fault-free state, and individual readers/writers (R/W) locks are granted by the storage manager when the file is in the degraded state. No read locks are required of clients when the file object is in the fault-free state. Furthermore, during the fault-free state of the file object, when exactly one client is writing to the file object, the storage manger grants that file object a whole-file lock valid over the entire file object. Each client may have a client lock manager that interacts with appropriate storage manager lock manager to request and obtain necessary locks. These various locking mechanisms reduce lock-related network communication overhead in a distributed, object-based data storage system without compromising fault tolerance or recovery from fault conditions.
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention that together with the description serve to explain the principles of the invention. In the drawings:
Reference will now be made in detail to the preferred embodiments of the present invention, examples of which are illustrated in the accompanying drawings. It is to be understood that the figures and descriptions of the present invention included herein illustrate and describe elements that are of particular relevance to the present invention, while eliminating, for purposes of clarity, other elements found in typical data storage systems or networks.
It is worthy to note that any reference in the specification to “one embodiment” or “an embodiment” means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase “in one embodiment” at various places in the specification do not necessarily all refer to the same embodiment.
The network 28 may be a LAN (Local Area Network), WAN (Wide Area Network), MAN (Metropolitan Area Network), SAN (Storage Area Network), wireless LAN, or any other suitable data communication network including a TCP/IP (Transmission Control Protocol/Internet Protocol) based network (e.g., the Internet). A client 24, 26 may be any computer (e.g., a personal computer or a workstation) electrically attached to the network 28 and running appropriate operating system software as well as client application software designed for the system 10.
The manager (or server) and client portions of the program code may be written in C, C++, or in any other compiled or interpreted language suitably selected. The client and manager software modules may be designed using standard software tools including, for example, compilers, linkers, assemblers, loaders, bug tracking systems, memory debugging systems, etc.
In one embodiment, the manager software and program codes running on the clients may be designed without knowledge of a specific network topology. In that case, the software routines may be executed in any given network environment, imparting software portability and flexibility in storage system designs. However, it is noted that a given network topology may be considered to optimize the performance of the software applications running on it. This may be achieved without necessarily designing the software exclusively tailored to a particular network configuration.
The fundamental abstraction exported by an OBD 12 is that of an “object,” which may be defined as a variably-sized ordered collection of bits. Contrary to the prior art block-based storage disks, OBDs do not export a sector interface (which guides the storage disk head to read or write a particular sector on the disk) at all during normal operation. Objects on an OBD can be created, removed, written, read, appended to, etc. OBDs do not make any information about particular disk geometry visible, and implement all layout optimizations internally, utilizing lower-level information than can be provided through an OBD's direct interface with the network 28. In one embodiment, each data file and each file directory in the file system 10 are stored using one or more OBD objects.
In a traditional networked storage system, a data storage device, such as a hard disk, is associated with a particular server or a particular server having a particular backup server. Thus, access to the data storage device is available only through the server associated with that data storage device. A client processor desiring access to the data storage device would, therefore, access the associated server through the network and the server would access the data storage device as requested by the client.
On the other hand, in the system 10 illustrated in
In one embodiment, the OBDs 12 themselves support a security model that allows for privacy (i.e., assurance that data cannot be eavesdropped while in flight between a client and an OBD), authenticity (i.e., assurance of the identity of the sender of a command), and integrity (i.e., assurance that in-flight data cannot be tampered with). The authenticity determination may be capability-based, whereas the privacy and integrity portions of the security model may be implemented using network-level encryption and/or digital signing. A manager grants a client the right to access the data storage (in one or more OBDs) by issuing to it a “capability.” Thus, a capability is a token that can be granted to a client by a manager and then presented to an OBD to authorize service. Clients may not create their own capabilities (this can be assured by using known cryptographic techniques), but rather receive them from managers and pass them along to the OBDs.
A capability is simply a description of allowed operations. A capability may be a set of bits (1's and 0's) placed in a predetermined order. The bit configuration for a capability may specify the operations for which that capability is valid. Thus, there may be a “read capability,” a “write capability,” a “set-attribute capability,” etc. Every command sent to an OBD may need to be accompanied by a valid capability of the appropriate type. A manager may produce a capability and then digitally sign it using a cryptographic key that is known to both the manager and the appropriate OBD, but unknown to the client. The client will submit the capability with its command to the OBD, which can then verify the signature using its copy of the key, and thereby confirm that the capability came from an authorized manager (one who knows the key) and that it has not been tampered with in flight. An OBD may itself use cryptographic techniques to confirm the validity of a capability and reject all commands that fail security checks. Thus, capabilities may be cryptographically “sealed” using “keys” known only to one or more of the managers 14–22 and the OBDs 12. A client may return the capability to the manager issuing it or discard the capability when the task associated with that capability is over.
A capability may also contain a field called the Authorization Status (AS), which can be used to revoke or temporarily disable a capability that has been granted to a client. Every object stored on an OBD may have an associated set of attributes, where the AS is also stored. Some of the major attributes for an object include: (1) a device_ID identifying, for example, the OBD storing that object and the file and storage managers managing that object; (2) an object-group_ID identifying the object group containing the object in question; and (3) an object_ID containing a number randomly generated (e.g., by a storage manager) to identify the object in question. If the AS contained in a capability does not exactly match the AS stored with the object, then the OBD may reject the access associated with that capability. A capability may be a “single-range” capability that contains a byte range over which it is valid and an expiration time. The client may be typically allowed to use a capability as many times as it likes during the lifetime of the capability. Alternatively, there may be a “valid exactly once” capability. Additional discussion about capability-based locking strategy according to the present invention is given hereinbelow with reference to
It is noted that in order to construct a capability (read, write, or any other type), the FM or SM may need to know the value of the AS field (the Authorization Status field) as stored in the object's attributes. If the FM or SM does not have these attributes cached from a previous operation, it will issue a GetAttr (“Get Attributes”) command to the necessary OBD(s) to retrieve the attributes. The OBDs may, in response, send the attributes to the FM or SM requesting them. The FM or SM may then issue the appropriate capability.
Logically speaking, various system “agents” (i.e., the clients 24, 26, the managers 14–22, and the OBDs 12) are independently-operating network entities. Day-to-day services related to individual files and directories are provided by file managers (FM) 14. The file manager 14 is responsible for all file- and directory-specific states. The file manager 14 creates, deletes and sets attributes on entities (i.e., files or directories) on clients' behalf. When clients want to access other entities on the network 28, the file manager performs the semantic portion of the security work—i.e., authenticating the requester and authorizing the access—and issuing capabilities to the clients. File managers 14 may be configured singly (i.e., having a single point of failure) or in failover configurations (e.g., machine B tracking machine A's state and if machine A fails, then taking over the administration of machine A's responsibilities until machine A is restored to service).
The primary responsibility of a storage manager (SM) 16 is the aggregation of OBDs for performance and fault tolerance. A system administrator (e.g., a human operator or software) may choose any layout or aggregation scheme for a particular object. The SM 16 may also serve capabilities allowing clients to perform their own I/O to objects (which allows a direct flow of data between an OBD and a client). The storage manager 16 may also determine exactly how each object will be laid out—i.e., on what OBD or OBDs that object will be stored, whether the object will be mirrored, striped, parity-protected (e.g., for fault tolerance), etc. This distinguishes a “virtual object” from a “physical object”. One virtual object (e.g., a file or a directory object) may be spanned over, for example, three physical objects (i.e., OBDs).
The storage access module (SAM) is a program code module that may be compiled into the managers as well as the clients. The SAM generates and sequences the OBD-level operations necessary to implement system-level I/O (input/output) operations, for both simple and aggregate objects.
The installation of the manager and client software to interact with OBDs 12 and perform object-based data storage in the file system 10 may be called a “realm.” The realm may vary in size, and the managers and client software may be designed to scale to the desired installation size (large or small). A realm manager 18 is responsible for all realm-global states. That is, all states that are global to a realm state are tracked by realm managers 18. A realm manager 18 maintains global parameters, notions of what other managers are operating or have failed, and provides support for up/down state transitions for other managers. A performance manager 22 may run on a server that is separate from the servers for other managers (as shown, for example, in
A further discussion of various managers shown in
The fact that clients directly access OBDs, rather than going through a server, makes I/O operations in the object-based file systems 10, 30 different from other file systems. In one embodiment, prior to accessing any data or metadata, a client must obtain (1) the identity of the OBD on which the data resides and the object number within that OBD, and (2) a capability valid on that OBD allowing the access. Clients learn of the location of objects by directly reading and parsing directory objects located on the OBD(s) identified. Clients obtain capabilities (e.g., for updating redundant data) by sending explicit requests to storage managers 16. The client includes with each such request its authentication information as provided by the local authentication system. The SM 16 may then grant requested capabilities to the client, which can then directly access the OBD in question or a portion thereof.
Capabilities may have an expiration time, in which case clients are allowed to cache and re-use them as they see fit. Therefore, a client need not request a capability from the storage manager for each and every I/O operation. Often, a client may explicitly release a set of capabilities to the storage manager (for example, before the capabilities' expiration time) by issuing a Write Done command. There may be certain operations that clients may not be allowed to perform. In those cases, clients simply invoke the command for a restricted operation via an RPC (Remote Procedure Call) to the storage manager 16, and the responsible manager then issues the requested command to the OBD in question.
As noted before, every object stored on an OBD may have an associated set of attributes. For example, one set of values for the {device_ID, object-group_ID, object_ID} attribute triplet for an object may be {SM #3, object-group #29, object #6003 }. It is noted that, in one embodiment, each {device_ID, object-group_ID, object_ID} triplet is a set of virtual (not physical) ID's and is unique in the realm. In other words, even if two objects have the same object_ID, they cannot have the same values for the corresponding {device_ID, object-group_ID, object_ID} triplets. It is noted that other object attributes may include a value identifying the time of creation of the object, and a pointer or flag indicating whether the object is a parent object (e.g., a sub-directory object) or a child object (e.g., a file object).
At client setup time (i.e., when a client is first connected to the network 28), a utility (or discovery) program may be used to configure the client with the address of at least one realm manager 18 associated with that client. The configuration software or utility program may use default software installation utilities for a given operating system (e.g., the Windows® installers, Linux® RPM files, etc.). A client wishing to access the file storage system 10, 30 for the first time may send a message to the realm manager 18 (whose address is provided to the client) requesting the location of the root directory of the client's realm. A “Get Name Translation” command may be used by the client to request and obtain this information. The contacted RM may send the requested root directory information to the client. For example, the root information may identify that the triplet {device_ID, object-group_ID, object_ID} is {SM #3, object-group #29, object #6003}. The client may then contact the SM identified in the information received from the RM (as part of that RM's response for the request for root directory information) to begin resolving path names. The client may probably also acquire more information (e.g., the addresses of all realm managers, etc.) before it begins accessing files to/from OBDs.
After the client establishes the initial contact with the file storage system 10, 30—i.e., after the client is “recognized” by the system 10, 30—the client may initiate a data file write operation to one or more OBDs 12.
The locking strategies illustrated in
It is noted that although CLM 42 and SMLM 46 are shown as separate software entities resident on the client computer 34 and the storage manager 44, respectively, the CLM 42 and SMLM 46 may be integral to the respective client and storage manager software code. In that case, the lock manager functionality may be an integral part of the respective client and storage manager software. In one embodiment, both the CLM 42 and the SMLM 46 are part of the code for respective client and storage manager SAMs. It is also pointed out that the discussion given hereinbelow uses the terms “SMLM” and “SM or storage manager” as well as the terms “CLM” and “client” interchangeably because the focus here is on the ultimate lock manager functionality (which is performed by the corresponding storage manager or client computer) and it may not be critical to identify which specific component or part in the storage manager or client computer is performing that functionality.
As noted, each of the CLM 42 and the SMLM 46 may internally maintain a corresponding lock table to manage lock-related transactions.
On the other hand, the lock table maintained by the SMLM 46 may contain a system-wide record of all locks granted to various clients in the system 10. In other words, the lock table in the SMLM 46 is client-specific (not CAP-specific) and the SMLM 46 may not have knowledge of internal client operations, i.e., which specific CAP in a client is requesting a particular lock. The SMLM 46 may “see” a lock request as a request coming only from a specific client irrespective of internal client software architecture. In one embodiment, the lock table maintained by the SMLM 46 may contain a record of the identity of the client (the client # column in
The SMLM 46 may communicate directly with the CLM 42 over the network 28. When the SMLM 46 decides to grant a lock requested by the CLM 42 (as described later), it may issue the requested lock to the CLM 42 directly, which, in turn, may decide whether to allow a specific CAP 36–40 to obtain the entire lock received from the SMLM 46 or to internally divide the lock into “sub-locks” so that the byte-range associated with the original lock can be divided into non-overlapping “sub-byte-ranges” for sub-locks and then to distribute the sub-byte-ranges among two or more CAPs 36–40.
A lock in the CLM's lock table may be held “active,” i.e., the lock is currently held by the client 34 and some CAP 36–40 is actively using the lock; or, the lock may be held “inactive,” i.e., the lock is currently held by the client 34 but no CAP 36–40 is actively using the lock. When a CAP 36–40 wishes to access a data file object to perform a data read or write operation, the CAP contacts its local CLM 42 to request a byte-range-based read (R) or write (W) lock on the object in question. In one embodiment, the CAP ignores whether it should request a mutex lock (described later hereinbelow) or a simple R/W (readers/writers) lock. The CAP simply requests an R lock (for data reading) or a W lock (for data writing) as defined, for example, by its operating system interface (e.g., the Unix® file system interface or the Windows® file system interface)—the operating system interface allows the CAP to request a read lock or a write lock against a specific file object. Upon receiving the lock request from a CAP 36–40, the CLM 42 scans its lock table. If the lock request is for an R lock and the CLM 42 believes that the object being locked is in the locally held state (whether held “active” or held “inactive”), the CLM 42 may immediately grant the requested lock and mark the lock as “granted”. Otherwise, if a held-inactive lock “subsumes” the requested lock (i.e., if the requested lock's byte-range falls under the byte-range allocated to the held-inactive lock), then the CLM 42 grants the requested lock and marks the lock as held “active” of the appropriate type (R or W lock). On the other hand, if a held-active lock subsumes the requested lock, the CLM 42 may delay the lock grant until the held-active lock is locally released. If no held lock (whether held “active” or “inactive”) subsumes the requested lock, the CLM 42 may issue a network request to the SMLM 46 for the needed lock and delay the lock grant to the lock-requesting CAP 36–40 until the CLM 42 receives the authorization or grant from the SMLM 46.
A capability and/or lock request from a client (i.e., from the CLM in the client) may include a number of message fields conveying information necessary for the SMLM to grant an appropriate capability and/or lock. Some of those fields include an object_ID (virtual) field, an object-group_ID (virtual) field, a device_ID (virtual) field, a read/write field (indicating whether the capability or lock request is for a data read or a data write operation), and a byte-range field (identifying the byte-range in the object where the client wishes to access data—for data read or write operation).
Referring now to
The lock request from the CLM 42 may be either to read data or to write data as depicted at the decision block 52 in
The whole-file lock granted to the client 34 remains valid over the entire file object in question. Thus, the client 34 (i.e., any CAP 36–40 running on the client 34) may continue to perform redundancy updates to the file data on the OBD 48 without contacting the SM 44 for permission (i.e., a capability and a lock) for each update. The client 34 may not need to re-contact SMLM 46 if it wishes to write to some other portion of the file, because the whole-file lock is valid over the entire file. A whole-file lock may be desirable when it is far more common in the system 10 that only one client may be writing any particular file at any one time. Thus, although occasional write-sharing of files may occur, it may still be desirable to reduce the lock-related network traffic by avoiding the need for additional locks when only one client is accessing a particular file. Thus, the first client to request a write lock on a file is optimistically granted a whole-file lock by the relevant storage manager. In the normal case, that may be the only client requesting such a lock, and, hence, no more locking-related network traffic will pass between the client and the SMLM until the lock is released or expires (e.g., along with its associated capability). To further reduce the network traffic, the client may combine its initial lock acquisition request with its initial request for one or more capabilities (read or write). The client may also combine its final lock release message with its release of one or more capabilities (read or write). Thus, considering the locking mechanism in isolation, it may invoke no extra network traffic at all in the normal case.
When write-sharing occurs, i.e., when a request (from another client computer) for a write capability arrives at the SMLM 46 while a whole-file lock is outstanding on some other client (here, the client 34 in
In the write-sharing situation, the SMLM 46 continues to grant mutex locks to all lock-requesting clients until the number of clients holding the locks goes to zero. At this point, the SMLM 46 may purge its lock table records, so that when the next request for a lock arrives, the SMLM 46 will again optimistically grant a whole-file lock as illustrated by the process path comprising the circled letter “B” (reference numeral 68 in
As shown in
Thus, as can be seen from above, it may be very easy for the SMLM 46 to determine (e.g., from its lock table entries) the points in time where there is exactly one client computer writing to any particular file. The detection of this condition by a centralized access-control mechanism (e.g., an SMLM) and the exploitation of this condition by granting a whole-file lock (rather than a byte-range based lock) to this client can substantially reduce lock- and capability-related network communication.
Referring again to
Thus, the CLM 42 may be configured not to request any read lock from the SMLM 46 even if the local CAP 36–40 requests such a read lock internally to the CLM 42. The CLM 42 may simply locally grant the read “lock” (i.e., “authorize” the read operation) to the lock-requesting CAP 36–40 without communicating with the SMLM 46 for the lock (i.e., requesting only a read capability without also requesting a read lock from the SMLM 46). In other words, client-internal read lock grants may be transparent to the SMLM 46 so long as the file system is in the fault-free state. When a fault condition arises, the CLM 42 may be informed of the fault condition (as discussed later hereinbelow) and, hence, may be required to contact SMLM 46 for read (and write) locks along with corresponding capability requests.
Hence, as depicted by one process path comprising the block 66 and the circled letter “A” (reference numeral 50) in
As discussed before, in a fault-free state, there may be no reason for a client application to take read locks. However, in the presence of a failed disk (degraded mode), clients must sometimes read unrelated data in an appropriate order so as to be able to reconstruct the data that was lost by the disk failure. Such ordering may be necessary as, for example, in certain RAID configurations. In that event, read locks may be necessary to guarantee that no other client B is writing this unrelated data while it is being read by client A for the purpose of reconstructing the lost information. Thus, it may be desirable to switch the locking strategy at the transition between the fault-free and degraded modes. However, it may be possible that many clients may be simultaneously reading a block of data at the moment that the transition is made between the fault-free mode and the degraded mode. Since these clients have not acquired read locks from the SMLM, it may not be possible to identify which clients are currently reading this data, and therefore, it may not be possible to know which locks (if any) need to be recalled. However, as discussed earlier, a read (or write) capability is always required before any data can be read (or written) and any issued capability can be immediately revoked by changing certain information on an OBD (e.g., the OBD that has failed) itself. Therefore, to prevent out-of-order data reads and also to maintain synchronized data reads/writes during recovery from disk failures, the SMLM 46 may first invalidate all outstanding read and write capabilities for the file object in question by changing (on the failing OBD), for example, an attribute of the object itself (e.g., the AS (authorization status) field) as indicated by block 72 in
Therefore, by changing an attribute of the file object in question, the SMLM 46 can effectively and efficiently prohibit all clients from reading (or writing) the object in question. Thus, at the transition from the fault-free mode into the degraded mode (and vice versa as indicated by block 78 in
After effecting the mode transition, the SMLM 46 continues issuing byte-range based readers/writers (R/W) locks and corresponding read/write capabilities for data reads/writes as indicated at block 74 in
In one embodiment, at the transition from the degraded mode into the fault-free mode, the storage manager 44 again invalidates all outstanding read and write capabilities, thereby forcing all clients to again return to a central agent (i.e., the storage manager 44) for new capabilities and appropriate new write locks (because no read locks are required in the fault-free state), as indicated by the process path comprising the decision block 76, the block 78, the circled letter “A” (reference numeral 50) and the decision block 70 in
It is noted that various managers (e.g., file managers 14, storage managers 16, etc.) shown and described with reference to
The foregoing describes a methodology wherein two different types of locks are used by a storage manager when multiple clients wish to access a particular redundantly-stored file. Simple byte-range based mutual exclusion (or mutex) locks are granted by the storage manager for data writes/updates to the file when the file is in the fault-free state, and individual readers/writers (R/W) locks are granted by the storage manager when the file is in the degraded state. No read locks are required of clients when the file object is in the fault-free state. Furthermore, during the fault-free state of the file object, when exactly one client is writing to the file object, the storage manger grants that file object a whole-file lock valid over the entire file object even if the client requested a byte-range based lock to perform the data write/update operation. Each client may have a client lock manager that interacts with appropriate storage manager lock manager to request and obtain necessary locks. These various locking mechanisms reduce lock-related network communication overhead in a distributed, object-based data storage system without compromising fault tolerance or recovery from fault conditions.
While the invention has been described in detail and with reference to specific embodiments thereof, it will be apparent to one skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope thereof. Thus, it is intended that the present invention cover the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents.
Patent | Priority | Assignee | Title |
10949397, | Dec 11 2014 | Amazon Technologies, Inc | Data locking and state management on distributed storage systems |
7853823, | Nov 22 2004 | LinkedIn Corporation | System and method for reconstructing lost data in a storage system |
7870464, | Nov 02 2004 | GLOBALFOUNDRIES Inc | System and method for recovery of data for a lost sector in a storage system |
9201802, | Dec 31 2012 | EMC IP HOLDING COMPANY LLC | Managing read/write locks for multiple CPU cores for efficient access to storage array resources |
Patent | Priority | Assignee | Title |
5950199, | Jul 11 1997 | International Business Machines Corporation | Parallel file system and method for granting byte range tokens |
6173293, | Mar 13 1998 | Hewlett Packard Enterprise Development LP | Scalable distributed file system |
6401170, | Aug 18 1999 | Digi-Data Corporation | RAID systems during non-fault and faulty conditions on a fiber channel arbitrated loop, SCSI bus or switch fabric configuration |
6665675, | Sep 07 2000 | HARMONIC INC | Shared file system having a token-ring style protocol for managing meta-data |
6826570, | Jul 18 2000 | International Business Machines Corporation | Dynamically switching between different types of concurrency control techniques to provide an adaptive access strategy for a parallel file system |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Feb 07 2003 | HOLLAND, MARK C | Panasas, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 013806 | /0726 | |
Feb 21 2003 | Panasas, Inc | (assignment on the face of the patent) | / | |||
May 17 2007 | Panasas, Inc | ORIX VENTURE FINANCE, LLC | SECURITY AGREEMENT | 019501 | /0806 | |
Jun 28 2011 | Panasas, Inc | Silicon Valley Bank | SECURITY INTEREST SEE DOCUMENT FOR DETAILS | 026595 | /0049 | |
May 28 2014 | PANASAS FEDERAL SYSTEMS, INC | AVIDBANK | SECURITY INTEREST | 033062 | /0225 | |
May 28 2014 | Panasas, Inc | AVIDBANK | SECURITY INTEREST | 033062 | /0225 | |
Jun 06 2014 | Silicon Valley Bank | Panasas, Inc | RELEASE OF SECURITY INTEREST | 033100 | /0602 | |
Jun 10 2014 | ORIX VENTURES, LLC FORMERLY KNOWN AS ORIX VENTURE FINANCE LLC | Panasas, Inc | RELEASE OF SECURITY INTEREST | 033115 | /0470 | |
Jun 12 2015 | Panasas, Inc | WHITE OAK GLOBAL ADVISORS, LLC | SECURITY INTEREST SEE DOCUMENT FOR DETAILS | 035958 | /0709 | |
Feb 27 2017 | Silicon Valley Bank | Panasas, Inc | RELEASE BY SECURED PARTY SEE DOCUMENT FOR DETAILS | 041841 | /0079 |
Date | Maintenance Fee Events |
Oct 25 2010 | REM: Maintenance Fee Reminder Mailed. |
Mar 11 2011 | M2551: Payment of Maintenance Fee, 4th Yr, Small Entity. |
Mar 11 2011 | M2554: Surcharge for late Payment, Small Entity. |
Sep 12 2014 | M2552: Payment of Maintenance Fee, 8th Yr, Small Entity. |
Nov 05 2018 | REM: Maintenance Fee Reminder Mailed. |
Mar 07 2019 | M2553: Payment of Maintenance Fee, 12th Yr, Small Entity. |
Mar 07 2019 | M2556: 11.5 yr surcharge- late pmt w/in 6 mo, Small Entity. |
Date | Maintenance Schedule |
Mar 20 2010 | 4 years fee payment window open |
Sep 20 2010 | 6 months grace period start (w surcharge) |
Mar 20 2011 | patent expiry (for year 4) |
Mar 20 2013 | 2 years to revive unintentionally abandoned end. (for year 4) |
Mar 20 2014 | 8 years fee payment window open |
Sep 20 2014 | 6 months grace period start (w surcharge) |
Mar 20 2015 | patent expiry (for year 8) |
Mar 20 2017 | 2 years to revive unintentionally abandoned end. (for year 8) |
Mar 20 2018 | 12 years fee payment window open |
Sep 20 2018 | 6 months grace period start (w surcharge) |
Mar 20 2019 | patent expiry (for year 12) |
Mar 20 2021 | 2 years to revive unintentionally abandoned end. (for year 12) |